Online Armor & Process Guard: need both?

I currently run Process Guard and Online Armor on all my systems, but I'm beginning to wonder if I need both. I seem to be finding that the majority of things I do I'm being alerted by BOTH systems.

There are many people with far more expertise in these matters than I; am I getting any additional benefit from running both Process Guard and Online Armor, and if one of them should go, which one should it be? Please note I also run other protection software; it's just these two I'm concerned with at the moment.

Please understand that I'm really happy with both, I own multiple copies of both, and I can live with having both on all my systems. However, I don't like to have apps running on my systems if they don't need to, and if I decide to uninstall one of them, I need to have confidence that I'm not reducing my protection in some significant way that I'm unaware of. So I'd appreciate any thoughts on the question (or point me to a relevant thread).

 

The only place that they really overlap, atm, is execution control. I just disabled PG's execution control, letting OA handle it. Other than that, they cover different areas, at least as they are now.

 

DOH...why didn't I think of that...disable PG's exe protection !!! off to do that right now !

And Notok is right, exe protection is about the only overlap between the two programs.

 

I was wondering why you didn't do that too, but forgot to mention it.

Online Armor adding kernel protection soon. Online Armor has generic keylogger checking doesn't it? Is it more sophiscated comapred to PG's blocking global hooks?

 

if u disable PG execution protection, doesnt it also disable the other protection?

 

Nope, in PG you can disable each protection item individually.

 

Wow are you joking? Should have guessed you weren't, since you run everything from PG to OA to Prevx.

Actually, it's not your second chance, its your third chance.

1st chance, you double click on the exe in explorer.
2nd chance OA comes up
3rd chance PG comes up


Maybe you could ask the people at PG or Online armor, to add a 4th or 5th chance.

1st prompt : Are you sure? Yes/No <Click Yes>
2nd prompt : Are you very sure? Yes/No <click Yes>
3rd prompt: Are you very very sure? Yes/No/ Darn it Yes means yes even if you asked a thousand times!!!

 

Obviously this is "user preference". It's nice to know that a person can go either way.

 

Only if I was the pilot

 

Why? There is always the first time you run something after installing it. Those cases will far outnumber the rare case where some dangerous malware manages to run via a buffer overflow exploit in your browser etc.

I suspect, the people who let malware through, do so out of ignorance, or impatience, rather than accident misclick. You know the type , click on anything to get rid of it. For such people a double prompt won't achieve anything anyway. In fact, flashing more leads to popup fatiage and contributes to people just clicking through.

Personally, I can't think of anytime where I could benefit from a double prompting, I suspect if I made a wrong decision, I wouldn't know it not immediately anyway, so another prompt appearing 1 second later , won't make any difference.

Thank you for explaining the concept of redundancy, let me introduce you to another concept, it's called overkill. Or better yet the tradeoff concept between absolute security and ease of use.

Honestly, if you follow your line of reasoning where you fear a accidental misclick and hence use this to justify double prompts, you would have to install and run at the same time 2 firewalls, 2 registry monitors etc etc.

Or as I said before, at the very least, make your software, verify your decision twice (or better yet, require 2 or more clicks to allow) before going ahead.

It's not such a bad idea in theory to force users to jump through loops for important decisions (accepting unsigned activex, Java applets for browsers for example), but you have to pick your battles and reserve that for truly critical and rare events.

I just don't think it's realistic for most people to do it for something as troublesome as execution monitoring. To actually have 2 programs , so that it is done twice, my mind reels....

Of course, Peter disagrees, but not everyone (not even in the rarified airs of Wilders) has the patience to run online armor/prev1/PG at the same time.

Lots of reasons, computer resources, double the time spent handling prompts to the same event... etc... I'm also not certain if you can ever be sure that you work harmoniously, a fundamental security rule is to Keep things simple and reduce complexity.

I know the first isn't a big deal for you, and the second probably isn't either because you enjoy playing and "beta-testing" these tools, but as much as I share this mind set, even I draw the line at excution protection x2.

I just don't enjoy, having to click 3 times to launch something new i just installed. It gets old fast.

And if this new software happens to require firewall connections, add at least 1 more click. If it happens to require global hooks or driver install (fairly common), 1 more click.

And this excludes all the other clicks, for installing the new software in the first place, clicks for the installers, registry entries, file/kernel changes (if driver installs) etc.

All those clicks , adds up to quite a bit, for every new program you install.
Now Imagine if everything mentioned was double monitored.

I might turn them both on for testing and comparison purposes (eg comparing execution monitoring in PG,OA,SSM) , but for normal use, I figure out which is more robust, and turn off the other one.

Of course, there is a small chance of a misclick (if it's due to lack of knowledge, double monitoring isnt going to save me), but I'll take my chances in the trade off.

Or if I had a parachute, which I actually I have due to this thing called "layered security".....

 

As siliconman01 pointed out, it's nice to have the choice. I ran both for a little while during testing and found that it did have it's advantages, although I peronally opted for just OA for the time being. I don't see anyone here going on at length to extol the virtues of double execution protection, so I'm not quite sure where you're going here, Pollmaster.

 

out of curiousity, why did people suggest disabling PG execution protection and not OA's?

 

At least in my case, I like that Online Armor alerts me about .bat, .cpl, .msc and other types of files trying to execute as well. OA also can track the changes made by programs if you choose to do so, allowing to revert the changes if needed.

Cheers

 

Peter's lecture on redundancy sounds to me exactly like an attempt to extol the virtues of double execution.

 

Another reason not to use double monitoring. It would be a pity if all that double clicking, deprived all of us a knowledgable response from you.

 

This is a lecture?!? Everything else was a direct response to you.. I think you're officially trolling now, Pollmaster.

 

Notok, if expressing surprise and disagreeing with a post is called trolling, I'm sure your post is trolling as well.

And yes, Peter was responding to me, but it still is a lecture on the virtues of double protection, which prompted my overly long response. But what's your point?

 

Once you have permissions sorted for your regularly-used programs, having to deal with multiple popups for a new (or changed) program should be an infrequent occurrence so the idea is not as impractical as it may seem at first glance.

I have this with Process Guard and System Safety Monitor - SSM's popups are more informative (and easier to read since PG uses tiny fonts for the details) but SSM is less robust on my setup so PG is there should it fail for any reason.

 

I agree w/ Atlantir, it covers more and has the option to roll-back (effectively giving you a means of 'single click disinfection' should I accidently allow something), but the kicker for me was that it handles things like rundll32.exe properly without having to click 'allow' every time I go into the control panel or insert a CD. OA also alerts earlier than PG does.. that may or may not be a big deal, but it was just one more thing to tip the balance towards OA for me. I did notice that when I ran a trojan downloader that I have tucked away (small.aio, I believe), it was able to spawn IE before PG alerted, not so w/ OA.

 

Yes it would be nice to see a kernel based stable and robust solution that built on the strengths of both PG and SSM and addressed some of the weaknesses as well

I believe that OA uses mad code hook so it is doing user mode hooking, this is the alert for the kernel mode driver that comes with mad code hook so it may well be doing some kernel hooking as well (the madKernel component).

People love having arguments about kernel mode and user mode hooking, and there are appropriate times for both.

You have to consider that all system call execution paths eventually lead into kernel code and for that reason the kernel based solutions will always have the last say on what to Allow.